
At least three hospitals in the U.S. were affected: Princeton Community Hospital in West Virginia and Heritage Valley Health System, which includes two hospitals—Heritage Valley Beaver and Heritage Valley Sewickley—60 doctor offices and 18 community satellite facilities. After Heritage was infected, some surgeries were canceled and patients reportedly had to reschedule.

It’s been pointed out that the NotPetya attack occurred a day before a non-working holiday in the Ukraine and on the same day that a top Ukrainian military intelligence officer was assassinated. While a Washington Post article discusses Russia’s use of hybrid warfare, the intelligence officer was killed by a car bomb. Nevertheless, the Post talks about Ukraine needing to up its defense game against Russia. It writes, “We should all be invested in this, because while Ukraine may be the testing ground, the target is all of us.”

Microsoft patches would have prevented attacks

People unwilling or unable to apply Microsoft’s patches, which would have kept their boxes safe, should try the vaccine as described by Bleeping Computer. It is pointless to try to notify the ransomware’s author because the German email provider Posteo shut down the email address wowsmith123456@posteo.net; it was the contact address in the ransom demand.

Even if victims were willing to pay and sent $300 in Bitcoins to the author’s wallet, they were instructed to send their Bitcoin wallet ID and ransomware installation key to the author at the now-not-working email address. At the time of publishing, the wallet showed 45 transactions.

“Given this new ransomware’s added lateral movement capabilities, it only takes a single infected machine to affect a network,” the company said.

Microsoft added that the ransomware uses multiple methods to spread:

Stealing credentials or re-using existing active sessions

Using file-shares to transfer the malicious file across machines on the same network

Using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

NotPetya uses NSA-linked EternalBlue and EternalRomance, which were released by the Shadow Brokers; Microsoft released patches for both back in March. It’s nearly July, so if you think no one will know you didn’t deploy patches in a timely fashion, then get infected and think again.

Yet clearly some people did not deploy the fixes, perhaps because a kill switch was so quickly found for WannaCry. Some organizations haven’t patched because they can’t afford the downtime, but surely mitigating the problem would cause less downtime than being a ransomware victim?
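Added example, not from the article or from Microsoft: a read-only PowerShell posture check an administrator could run on a Windows host against the two conditions the article ties to the outbreak, SMBv1 exposure without the March patches, plus the Bleeping Computer "vaccine". The function names are my own; the MS17-010 KB list is a placeholder to be filled from Microsoft's bulletin for the OS being checked, and the vaccine file name (perfc in the Windows directory) comes from the Bleeping Computer article, not from this page.

```powershell
# Added example (not the article's or Microsoft's code): host posture check for the
# NotPetya spread paths described above. Read-only unless -ApplyVaccine is passed.
param([switch]$ApplyVaccine)

# Assumption: MS17-010 KB IDs differ per Windows release; fill this list from
# Microsoft's bulletin for the OS you are checking. Placeholder value below.
$Ms17010Kbs = @('KB<FILL-IN-FROM-MS17-010-BULLETIN>')

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server configuration cmdlet
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $server) { return [bool]$server.EnableSMB1Protocol }
    # Older hosts: LanmanServer SMB1 registry value; missing or non-zero means enabled
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                            -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg) { return $true }
    return ($reg.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Any one matching hotfix ID is enough; the list is per-OS, hence the placeholder
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-VaccineFilePresent {
    # The Bleeping Computer vaccine is a read-only file named perfc in %WINDIR%
    # (file name taken from that article, not from this page)
    $path = Join-Path $env:WINDIR 'perfc'
    if (-not (Test-Path $path)) { return $false }
    return (((Get-Item $path).Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
}

function New-VaccineFile {
    # Creates the empty read-only perfc file; only run when explicitly requested
    $path = Join-Path $env:WINDIR 'perfc'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}

if ($ApplyVaccine -and -not (Test-VaccineFilePresent)) { New-VaccineFile }

$report = [PSCustomObject]@{
    ComputerName       = $env:COMPUTERNAME
    Smb1Enabled        = Test-Smb1Enabled
    Ms17010Patched     = Test-Ms17010Installed -KbIds $Ms17010Kbs
    VaccineFilePresent = Test-VaccineFilePresent
}
$report | Format-List

if ($report.Smb1Enabled -and -not $report.Ms17010Patched) {
    Write-Warning 'SMBv1 enabled and MS17-010 not found: this host is exposed to EternalBlue/EternalRomance-style spread.'
}
```

Run it from an elevated prompt on each host; the vaccine file is a stopgap, and the warning line is the one that matters, since the patch (or disabling SMBv1) is the fix the article is arguing for.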

Shadow Brokers' July dump of the month and VIP service

Speaking of EternalBlue and the Shadow Brokers, did the group ever follow through with the June data dump promised to subscribers? The Shadow Brokers claimed it was a big success, but security architect Kevin Beaumont noted that he’d seen no evidence that the dump happened.

It’s worth noting that the Shadow Brokers targeted one specific individual in its July dump of the month subscription pitch. Apparently, this “doctor” who hammered them via Twitter really got under the group’s skin. It started digging into who the “doctor” really is, claimed he is a former NSA-linked Equation Group developer, and threatened to dox him if he kept trolling.

This month, the Shadow Brokers announced a VIP service in addition to the dump of the month club. 400 ZEC will allegedly get the group’s attention enough to spill what it knows about specific questions asked, such as about a vulnerability or intel. The July monthly dump would cost subscribers 200 ZEC or 1000 XMR.

The group said it would include a “mystery gift” as some people sent a small payment with a hidden service URL. The Shadow Brokers won’t bite at the bait, but it is offering it to others. About this “mystery gift,” the group claimed, “Smelling hidden service FBI hackish.”

Apparently @shadowbrokerss threatened me in his new post. 1) don't feed trolls. 2) I was never equationgroup. 3) let's meet in vegas